Hiding OIC IP from 3rd Party Applications using OCI APIGW
In most production scenarios, we have to build an OIC integration that calls external applications which are outside your network and behind their own firewalls.
In such cases, you will be asked to share the IP to whitelist, and most customers are OK with it. BUT it is not advisable to share your OIC instance IP or OIC instance CIDR range with 3rd-party applications outside your/OCI network.
Architecture
The solution for this is OCI APIGW and the architecture to achieve this is as below:
In this approach, you aren’t sharing the IP address or CIDR range of your OIC instance; instead, you share the IP address of the APIGW.
Implementation Steps
The above architecture can be implemented by following the below steps:
- Create a deployment in OCI API Gateway (APIGW) where your route URL is the 3rd-party URL. You will have to pass the credentials shared by the 3rd party to make the call. Passing credentials from APIGW to the 3rd party can be achieved by either Method 1 or Method 2 from this blog. For demonstration purposes I’ll go with approach #2, where I hardcode the credentials in Base64 format on APIGW, and then activate the deployment.
- Create a REST connection in OIC with Connection Type “REST API Base URL”, set the Connection URL to the APIGW deployment endpoint and the Security Policy to “No Security Policy” (as you are calling APIGW, where you have already hardcoded the 3rd-party credentials).
- In your integration, you can use this connection to make calls to the third-party application.
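The gateway side of the first step, as an added example that is not from the original post: a Python sketch that builds a deployment specification with the static Authorization header and audits it before activation. The field names follow the OCI API Gateway deployment specification JSON; the route path, backend URL, credentials and the helper names build_spec and audit_spec are constructed for illustration.

```python
import base64
import json

def build_spec(backend_url, username, password):
    """Spec for the setup above: one route to the 3rd-party URL, with a
    static Basic Authorization header set by the gateway."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "requestPolicies": {},  # no authentication policy: callers are not verified
        "routes": [{
            "path": "/employees",  # constructed route path
            "methods": ["GET"],
            "backend": {"type": "HTTP_BACKEND", "url": backend_url},
            "requestPolicies": {"headerTransformations": {"setHeaders": {"items": [
                {"name": "Authorization", "values": [f"Basic {token}"],
                 "ifExists": "OVERWRITE"}]}}},
        }],
    }

def audit_spec(spec):
    """Return findings a reviewer should see before the deployment is activated."""
    findings = []
    if "authentication" not in spec.get("requestPolicies", {}):
        findings.append("deployment has no authentication policy; any caller that "
                        "reaches the endpoint is forwarded with the stored credentials")
    for route in spec.get("routes", []):
        items = (route.get("requestPolicies", {}).get("headerTransformations", {})
                 .get("setHeaders", {}).get("items", []))
        for item in items:
            if item.get("name", "").lower() != "authorization":
                continue
            for value in item.get("values", []):
                scheme, _, token = value.partition(" ")
                if scheme.lower() == "basic" and token:
                    # Base64 is an encoding, not encryption: it decodes directly.
                    user = base64.b64decode(token).decode().split(":", 1)[0]
                    findings.append(f"route {route['path']}: static Basic credential "
                                    f"for user '{user}' is readable from the spec")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not from the original post.
    spec = build_spec("https://thirdparty.example.com/api/v1/employees",
                      "svc_oic", "example-password")
    print(json.dumps(spec, indent=2))
    for finding in audit_spec(spec):
        print("FINDING:", finding)
```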
Implementation Demo
1. For the purpose of the demo, as I don’t have any 3rd-party application/endpoint, I’ll create an integration which will call the dummy REST API “https://dummy.restapiexample.com/api/v1/employees”.
2. This child integration is treated as the 3rd-party endpoint and is kept behind OCI APIGW, where I’ll hardcode the credentials in Base64 format.
3. The parent OIC integration will call the APIGW deployment endpoint from OIC as a REST API call (where we have configured the 3rd-party endpoint).
NOTE: For the purpose of this blog, I have hardcoded credentials on APIGW. You can follow any of the other approaches as mentioned here for your requirements.
!!! Happy Reading !!!